Thread: HOWTO: Blowfish passwords && password checks

  1. #1
    HOWTO: Blowfish passwords && password checks

    Ubuntu uses md5-hashed passwords by default.
    md5 is a 128-bit hash and nowadays not too secure anymore.
    http://en.wikipedia.org/wiki/Md5 has a description of hash collisions.

    There is support for an alternate hash, blowfish. This has proven quite secure in OpenBSD.

    To enable it, you have to install libpam-unix2.
    Code:
    apt-get install libpam-unix2

    Next, replace all references to pam_unix.so with pam_unix2.so in all files under /etc/pam.d

    Note: The number of references in the files depends on installed pam modules.

    In common-password add the following:
    Code:
    password required      pam_unix2.so nullok use_authok obscure min=9 max=72     blowfish

    To enable password checks when changing passwords, install libpam-passwdqc and add the following to your /etc/pam.d/common-password:
    Code:
    apt-get install libpam-passwdqc
    Edit /etc/pam.d/common-password and add:
    Code:
    password required      pam_passwdqc.so max=72 similar=deny enforce=everyone retry=2 ask_oldauthtok=update check_oldauthtok
    For a list of options, look at http://www.die.net/doc/linux/man/man...asswdqc.8.html.

    Note: To finalize the changes, all passwords have to be reentered!!
    If you restart at this point, you will be unable to log in again!
    Set a new password with the passwd command (it can be the same as before, but it has to be reset to use the new hash!)

    Problems: For those of you in trouble after a reboot:
    You can boot into your system without a password if you append init=/bin/bash to your grub kernel parameters.
    To enter that, type "e" at the grub prompt and you can edit the entry.

    IMPORTANT: This only secures Ubuntu passwords! You can still log in with things like Knoppix or other methods like those described above!
    For a fully secured system you have to encrypt hard drives!

    [update]
    There have been some problems (experienced by me and others) when using gnome-screensaver.
    The problem lies in the libpam-unix2 package. It does not feature an equivalent for unix_checkpwd.

    There are already bug reports at https://bugs.launchpad.net/ubuntu/+s...ix2/+bug/82518 and https://bugs.launchpad.net/ubuntu/+s...x2/+bug/106670.

    Someone willing to try can compile the patch from Novell, try out the unix2_checkpwd program, and report back.
    Last edited by NiN; June 13th, 2007 at 07:54 PM. Reason: make it look prettier
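
Added example, not part of the original post: existing accounts keep their md5 hash until passwd is run again, so this script lists which entries of a shadow-format file still carry one. The function names and the sample entries are constructed for illustration; `$1$` and `$2a$` are the standard crypt(3) prefixes for md5 and blowfish.

```shell
#!/bin/sh
# Map one shadow password field to the scheme named by its crypt(3) prefix.
classify_hash() {
    h=$1
    [ -n "$h" ] || { echo empty; return 0; }
    # passwd -l locks an account by prefixing '!'; classify the hash behind it.
    while :; do
        case $h in '!'*) h=${h#?} ;; *) break ;; esac
    done
    case $h in
        ''|'*'*)                echo nologin ;;
        '$1$'*)                 echo md5 ;;
        '$2$'*|'$2'[abxy]'$'*)  echo blowfish ;;
        '$5$'*)                 echo sha256 ;;
        '$6$'*)                 echo sha512 ;;
        '$'*)                   echo other ;;
        *)                      echo des ;;
    esac
}

# Read shadow-format lines on stdin, print "user scheme" for each entry.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify_hash "$hash")"
    done
}

# Accounts that still have an md5 hash and need a password reset.
needs_reset() {
    audit_shadow | awk '$2 == "md5" { print $1 }'
}

# Constructed sample entries (placeholder strings, not real hashes).
sample_shadow() {
    cat <<'EOF'
alice:$1$CONSTRsa$constructedMD5hashvalue000:13677:0:99999:7:::
bob:$2a$05$constructedBlowfishSaltAndHashValue:13677:0:99999:7:::
carol:!$1$CONSTRsa$constructedLockedMD5value0:13677:0:99999:7:::
daemon:*:13677:0:99999:7:::
EOF
}

# With a file argument (e.g. /etc/shadow, as root) audit it; otherwise the sample.
if [ -n "${1:-}" ]; then needs_reset < "$1"; else sample_shadow | needs_reset; fi
```

A locked account such as carol is still reported, because unlocking it would bring the old md5 hash back into use.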
